In a about the Playstation Network breach, Sony states, "The entire credit card table was encrypted and we have no evidence that credit card data was taken." Sony goes on to claim that it never collects the three-digit CVV number from the back of the card, but later amended that claim to state that it does collect that information, but it does not store it.

Meanwhile, the attackers claim to have the credit card data--including the CVV number--. One of these things is not like the other. It seems difficult--if not impossible--to justify how both parties can be telling the truth.

Unfortunately, it is actually feasible that the data could have been encrypted as Sony claims, yet compromised as the attackers claim. It all depends on how the data was encrypted, and how the attackers breached the Sony network.

security analys Troy Gill clarified that nothing is really known at this point, but added that if the data was encrypted as Sony claims, it is still possible that the attackers could have cracked that encryption by now. "It would depend first on what hash function was used to encrypt the data, obviously if a weaker encryption was used then the easier it would be to break. The amount of resources the hackers were using to break the encryption could also be a factor in the amount of time it would take."

Anton Chuvakin, security expert and co-author of , notes that database table encryption is often poorly implemented. Organizations often that an attacker might easily find once they have access to the network in the first place.